Impact
An improper control of the filename used in an include/require statement in the Crocoblock JetCompareWishlist plugin allows an attacker to include arbitrary local files. This local file inclusion can expose confidential data such as configuration files or user credentials and, if a file containing executable code is included, can lead to remote code execution. The vulnerability may be exploited by crafting requests containing a path to sensitive or attacker-provided files within the WordPress environment.
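The pattern behind this class of bug, shown as an added illustration in hypothetical WordPress-style code (not JetCompareWishlist's own source, which is not on this page): a loader that lets a request parameter choose the included file, beside a hardened loader that maps a short name through a fixed allowlist and checks that the resolved path stays inside the plugin's template directory. The `load_template_*`/`resolve_template` names and the directory layout are assumptions.

```php
<?php
// Hypothetical WordPress-style template loader; NOT code from the plugin.
// Vulnerable pattern (CWE-98): a request parameter decides which file is included.
function load_template_unsafe(string $plugin_dir): void {
    $name = isset($_GET['template']) ? $_GET['template'] : 'default';
    // A traversal sequence or absolute path here reaches arbitrary local files (LFI).
    include $plugin_dir . '/templates/' . $name . '.php';
}

// Hardened: an explicit allowlist maps short names to known files, and the
// resolved path is verified to lie inside the templates directory.
function resolve_template(string $plugin_dir, string $name): ?string {
    $allowed = [
        'compare'  => 'compare-table.php',
        'wishlist' => 'wishlist-list.php',
        'default'  => 'default.php',
    ];
    if (!isset($allowed[$name])) {
        return null;                        // unknown name: refuse, never guess
    }
    $base = realpath($plugin_dir . '/templates');
    $path = realpath($base . '/' . $allowed[$name]);
    // realpath() returns false for missing files; also reject anything that
    // resolved outside $base (symlinks, stray separators).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template_safe(string $plugin_dir): void {
    // sanitize_key() and wp_die() are standard WordPress helpers.
    $name = isset($_GET['template']) ? sanitize_key($_GET['template']) : 'default';
    $path = resolve_template($plugin_dir, $name);
    if ($path === null) {
        wp_die('Unknown template.', '', ['response' => 400]);   // fail closed
    }
    include $path;
}
```

From a detection standpoint, requests whose template-style parameters contain `../`, absolute paths or `php://` wrappers against the plugin's endpoints are the signal to alert on while the plugin remains unpatched.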
Affected Systems
Crocoblock JetCompareWishlist, a WordPress plugin, is affected in all releases up to and including version 1.5.9. Any WordPress site that has installed JetCompareWishlist 1.5.9 or earlier is vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates moderate to high severity, while an EPSS score of less than 1% suggests a low probability of exploitation in practice. The vulnerability is not listed in the CISA KEV catalog. Exploitation is likely to require the attacker to supply a crafted filename parameter to the plugin’s include logic; if successful, the attacker could read sensitive files or execute code from the web server’s local filesystem. Given the low EPSS, active exploitation is unlikely, but the impact of file disclosure or code execution would be significant. No official workaround is available, so mitigating action must focus on patching or disabling the vulnerable plugin.
OpenCVE Enrichment